PHP Security Toolbox - Download the script
Download PHP Security Toolbox: PHPST_v1-0.zip
PHP Security Toolbox - Main purpose of PHP Security Toolbox
PHP Security Toolbox aims to help you detect security problems in your website's source code. That is a very general statement, so here are some concrete examples:
- Detecting unauthorized source code changes, and more generally file changes
- Detecting unauthorized file permission changes
- Detecting files created or deleted on the web server
- Detecting potential SQL injections
- Etc ...
The basic idea behind the script is that relatively easy security checks can have a strong impact on your website's security. A very simple example is tracking all file changes or permission changes between one backup of your web directory and the next. The first version of PHP Security Toolbox deals only with this; more features will be added later on. You may be surprised to hear that such a basic tool allowed me to uncover two intrusions on one of my websites (which had been hijacked in an attempt to serve malware to my users).
Once a change is detected, cleaning your source code is relatively easy if you monitor it continuously, because you know exactly which files were touched ... Give it a try, and you might be surprised by what you uncover!
Obviously, this script was tailor-made for a web server environment (i.e. a "reasonable" number of "reasonably large" files). It will nonetheless run fine on your home computer, provided you have a local web server with PHP such as WAMP installed. If you run a full (hashing) scan over your whole C: drive, however, don't be surprised by the processing time :) As said above, the script was made to analyze website source code in the first place ...
PHP Security Toolbox - Pre-requisites to running the script on your web server / local machine
- PHP Security Toolbox is written in PHP, so you need a PHP interpreter to run it. PHP comes with any decent shared hosting plan these days, and you can also install a free local web server with PHP on your home computer; WAMP works just fine for our purpose.
- Put the script files anywhere on your web server, preferably in the parent folder of the folder(s) you wish to analyze.
- You must specify a folder to analyze, typically a whole backup folder containing your website files. The path to this folder is relative to the folder containing the script.
- Depending on your web server configuration, the script must be allowed to lift PHP's maximum execution time (set_time_limit), because a scan can take anywhere from a few seconds to an hour, depending on the number and sizes of the files to analyze. Some hosting plans do not allow this.
PHP Security Toolbox - Installing PHP Security Toolbox on your machine
Installing PHP Security Toolbox on your machine is straightforward. Unzip the files of PHPST_vx-x.zip into the folder of your choice (the only requirement is that all files stay in the same folder). Then open security.php in your web browser and you're good to go! When security.php loads, the following page will display:
You can now decide to:
- Create a snapshot, that is, scan a folder and create its ID file, which records the state of that folder (the files it contains, their sizes, permissions and hashes) at a given point in time
- Compare two snapshots, that is, list the differences between two versions of your website taken at two different times
PHP Security Toolbox - Scanning a folder
Path to the folder to scan
If security.php is in the folder ./main and you want to analyze the folder ./main/folder, enter the relative path ./folder
Snapshot will be saved in
Snapshot IDs are saved as text files; a default filename is proposed when you open security.php: by default it is your web server's current time, which lets you order your snapshots chronologically. If you wish to use a different filename, edit this field accordingly.
Example
Let's consider a folder example, located in the same folder as security.php, which contains:
- An image "example_image.bmp"
- A folder "example_folder", itself containing an empty text file "example_text.txt"
Scanning it with the default snapshot name creates a text file "110611-18h35m38s.txt" in the root folder (the folder containing security.php), with the following content. Note that this file then sits on the web server itself: an intruder with write access to the site can edit it as easily as your source code, so copy each snapshot somewhere the web server cannot write to before you rely on it.
For each file contained in the folder example, the text file holds a record with:
- Filename: for instance example/example_folder/example_text.txt
- Filesize: 0 here (empty text file)
- File permissions (chmod permissions): 666 here (the file is readable and writable by everyone, but cannot be executed by anyone)
- File hash signature: identifies the content of the file in a unique way (with an extremely high probability). PHP Security Toolbox uses the sha512 hash algorithm for this.
The scan form also offers two options:
- Only check for changes in filesizes and permissions (faster): with this option no hash is computed, so you will not be able to compare this snapshot with another one on content; only filenames, filesizes and permissions can be compared. Note that, even though two different files will most of the time have different sizes, you can never be sure that two files are identical unless you really compare their content (an intruder might be careful enough to keep both filesize and modification date unchanged so that you believe no change occurred). Selecting this option does, however, reduce computing time quite a bit, because the script no longer has to compute hash signatures.
- Only check files which are less than 1Gb (considerably faster - Recommended): this option skips files larger than 1Gb. It mainly avoids files larger than 2Gb, on which the PHP function filesize does not work properly (on 32-bit PHP builds the size overflows PHP's integer type). Hashing files that large is also extremely time-consuming, and I would advise against it. If you ever decide to do so, make sure you are not on a shared hosting plan, otherwise your plan may be cancelled for resource abuse.
PHP Security Toolbox - Comparing two scans (at different points in time)
Now that you know how to create snapshots of your web folders, you can compare any two of them:
- Fill in the two fields "Path to the Snapshot 1" and "Path to the Snapshot 2" and click Compare
- Keep in mind that the script compares records by filename, and that filenames are stored relative to the parent of the folder that was analyzed (they start with the folder's own name). If you created a snapshot of the folder example1 and a snapshot of the folder example2, comparing them will report that all files from example1 were deleted and all files from example2 were newly created. So when you want to compare two folders, make sure they had the same name when their snapshots were created; if they did not, you can adjust the folder names in one snapshot file with the "find/replace" function of Notepad. For the same reason a renamed file shows up as one deletion and one creation, not as a rename.
We created a second snapshot after modifying our example folder as follows:
- example/example_image.bmp was renamed to example/example_image_2.bmp
- example/example_folder/example_text.txt was modified: originally empty, it now contains the words "Hello World"
Here is the output of the PHP Security Toolbox script when you compare the two snapshots:
As can be seen above, our PHP script did a good job of identifying all the changes that were made to our folder!
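To make the snapshot and compare steps described above concrete, here is an added example in plain PHP that is not the PHP Security Toolbox source. It records the same four fields per file (path relative to the parent of the scanned folder, size, three-digit octal permissions, sha512 or "-" in fast mode), writes them to a tab-separated text file, and compares two such files. The record layout, the function names and the command line are assumptions; the demo at the bottom rebuilds the page's example folder in a temporary directory (with a two-byte stand-in for the image), applies the two changes listed above, and then shows a same-size edit that a size-and-permissions-only snapshot cannot see but a hashed one does.

```php
<?php
// phpst_example.php: added example of snapshot/compare, not the PHP Security Toolbox code.
// Record format, function names and the CLI demo below are assumptions made for this page.

const LARGE_FILE_BYTES = 1024 * 1024 * 1024; // 1 GiB cut-off, mirroring the "skip large files" option

// Walk $root recursively and record every regular file: path relative to the parent of $root
// (so it starts with the scanned folder's own name), size, octal permissions, and the sha512 of
// the content, or "-" when $fast is set (size/permission check only).
function take_snapshot(string $root, bool $fast = false, bool $skipLarge = true): array
{
    $root = rtrim($root, '/\\');
    $records = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        // On 32-bit PHP builds sizes above PHP_INT_MAX are unreliable, hence the cut-off.
        $size = $info->getSize();
        if ($skipLarge && $size >= LARGE_FILE_BYTES) {
            continue;
        }
        $rel = basename($root) . '/' . str_replace('\\', '/', substr($path, strlen($root) + 1));
        $records[$rel] = [
            'size'  => $size,
            'perms' => substr(sprintf('%o', $info->getPerms()), -3),
            'hash'  => $fast ? '-' : hash_file('sha512', $path),
        ];
    }
    ksort($records);
    return $records;
}

// One tab-separated line per file; the snapshot is a plain text file, as on this page.
function write_snapshot(array $records, string $file): void
{
    $out = '';
    foreach ($records as $rel => $r) {
        $out .= "$rel\t{$r['size']}\t{$r['perms']}\t{$r['hash']}\n";
    }
    file_put_contents($file, $out);
}

function read_snapshot(string $file): array
{
    $records = [];
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$rel, $size, $perms, $hash] = explode("\t", $line, 4);
        $records[$rel] = ['size' => (int) $size, 'perms' => $perms, 'hash' => $hash];
    }
    return $records;
}

// Compare by relative filename: a renamed file shows as one deletion plus one creation.
// Content is compared only when both snapshots carry a hash (neither was taken in fast mode).
function compare_snapshots(array $old, array $new): array
{
    $diff = ['created' => [], 'deleted' => [], 'modified' => []];
    foreach ($new as $rel => $r) {
        if (!isset($old[$rel])) {
            $diff['created'][] = $rel;
            continue;
        }
        $o = $old[$rel];
        $why = [];
        if ($o['size'] !== $r['size'])   { $why[] = "size {$o['size']} -> {$r['size']}"; }
        if ($o['perms'] !== $r['perms']) { $why[] = "perms {$o['perms']} -> {$r['perms']}"; }
        if ($o['hash'] !== '-' && $r['hash'] !== '-' && $o['hash'] !== $r['hash']) {
            $why[] = 'content changed (sha512 differs)';
        }
        if ($why) {
            $diff['modified'][$rel] = $why;
        }
    }
    foreach (array_keys($old) as $rel) {
        if (!isset($new[$rel])) {
            $diff['deleted'][] = $rel;
        }
    }
    return $diff;
}

// Demo (constructed data): rebuild the page's "example" folder in a temp dir and replay its changes.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $base = sys_get_temp_dir() . '/phpst_' . bin2hex(random_bytes(4));
    mkdir("$base/example/example_folder", 0755, true);
    file_put_contents("$base/example/example_image.bmp", "BM");   // stand-in for the image
    file_put_contents("$base/example/example_folder/example_text.txt", "");
    chmod("$base/example/example_folder/example_text.txt", 0666);
    write_snapshot(take_snapshot("$base/example"), "$base/snap1.txt");

    rename("$base/example/example_image.bmp", "$base/example/example_image_2.bmp");
    file_put_contents("$base/example/example_folder/example_text.txt", "Hello World");
    write_snapshot(take_snapshot("$base/example"), "$base/snap2.txt");
    echo "Full comparison (snapshots in $base):\n";
    print_r(compare_snapshots(read_snapshot("$base/snap1.txt"), read_snapshot("$base/snap2.txt")));

    // Same-size edit: "Hello World" -> "Hello Earth" keeps size and permissions unchanged.
    $fastBefore = take_snapshot("$base/example", true);
    file_put_contents("$base/example/example_folder/example_text.txt", "Hello Earth");
    echo "Fast (size/perms only) comparison after a same-size edit:\n";
    print_r(compare_snapshots($fastBefore, take_snapshot("$base/example", true)));
    echo "Hashed comparison after the same edit:\n";
    print_r(compare_snapshots(read_snapshot("$base/snap2.txt"), take_snapshot("$base/example")));
}
```

Run it with `php phpst_example.php`. The first comparison reports example/example_image_2.bmp as created, example/example_image.bmp as deleted and example/example_folder/example_text.txt as modified (size and sha512); the fast comparison after the same-size edit reports nothing modified, while the hashed comparison flags the content change, which is the point made above about the "filesizes and permissions only" option.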
If you find a bug in this software, please report it on the PHP Security Toolbox forum.